Baidu API Search

Pass. Audited by ClawScan on May 16, 2026.

Overview

This appears to be a coherent Baidu search helper, but it uses your Baidu API key, sends search queries to Baidu, and stores local search/cache files.

Install only if you are comfortable giving the skill a Baidu AI Search/AppBuilder API key and sending search terms to Baidu. Use a dedicated key, monitor quota, use --no-cache for sensitive or current searches, and inspect/clear the local runs and cache folders as needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search topics are sent to Baidu, and use of the skill may spend or exhaust API quota.

Why it was flagged

The script makes external Baidu API calls for search. This is central to the skill’s stated purpose, but it means user queries leave the local environment and may consume API quota.

Skill content

ENDPOINT = "https://qianfan.baidubce.com/v2/ai_search/web_search"

Recommendation

Use a dedicated Baidu API key, monitor quota/billing, and use the documented dry-run/cache options when appropriate.

What this means

Anyone with access to the environment variable could use the Baidu API key, and the skill’s API calls can act under that key’s quota/permissions.

Why it was flagged

The code sends the configured API key as a Bearer credential to the Baidu API. This is expected for the integration and the artifacts also warn not to hardcode, print, or log the key.

Skill content

bearer = f"Bearer {key}"

Recommendation

Store the key only in the environment, use the least-privileged or lowest-risk key available, rotate it if exposed, and avoid sharing logs or outputs that might contain configuration details.

What this means

Sensitive search topics or results may remain in local run/cache files, and cached data can become stale for current-events questions.

Why it was flagged

The skill persists search payloads and raw responses locally for reuse. The documentation says keys are not cached, but queries and retrieved content can remain on disk and may be reused until expiry.

Skill content

The cache stores request payloads and raw API responses. It never stores API keys. ... Default TTL is 24 hours

Recommendation

Use --no-cache for sensitive or current/latest searches, periodically delete local run/cache directories, and avoid searching confidential topics unless local storage is acceptable.